Setting up Easy VPN in Cisco Configuration Professional, external access problems!

Hi
I have a Cisco 857 router which is flashed with Cisco Configuration Express 2.6.
Cisco Configuration Professional 2.6 is installed on my PC and I'm trying to configure Easy VPN for access away from the office.
The steps I have taken are as follows:
1) I launched the Easy VPN Server Wizard
2) IP address of Virtual Tunnel Interface is unnumbered to Vlan1 from the drop down menu - Authentication, Pre Shared Key
3) IKE Proposals set to the default option that's already there
4) Transform set is the default which is already there
5) Method list for group policy Lookup is LOCAL
6) User authentication is LOCAL ONLY, the admin account shows up in ADD USER CREDENTIALS which is the account I'm going to test the connection with
7) I have set up a GROUP POLICY which I've named, created a PRE SHARED KEY, created an IP address pool & subnet mask in the same range as the router's addresses and left all other options at default
8) I left cTCP unticked and disabled
9) I delivered the commands successfully
10) I click TEST VPN SERVER and get 3 ticks successful for Server configuration, dependent components & Firewall
11) I open the Cisco client and access the VPN internally using the router's LAN address; it prompts for my user name and password, I type it in and connect successfully
12) When I go home I configure my client to the same settings except I change the LAN address for the external WAN ip address, but I get an error message which says "Secure VPN Connection terminated locally by the client. Reason 412: The remote peer is no longer responding"
VPN Client settings are as follows
Group Authentication
Enable Transparent Tunneling- IPSec over UDP (NAT / PAT)
Currently I have a dynamic external IP address, I intend to get a static one once I know I can get this to work.
I would be extremely grateful if someone could help me solve this issue and work out why I can't connect externally.
I have no knowledge of CLI but will use it if given some instructions.
Thanks.
P.S. I have turned off all antivirus and firewall programs on the client computer when trying to connect.

Your nat exemption acl is backwards...
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
should be...
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Similar Messages

  • ISM-SRE-300-K9 & Cisco Configuration Professional Issue

    Hi there,
    I have a Cisco 2901 router running CME 8.6. The router has an ISM-SRE-300-K9 card in it with Unity Express 8.0.5 installed.
    I am having issues with Cisco Configuration Professional and configuring the module.
    Under module configuration the status is "module is not reachable". If I click on details I get further information: "unable to execute command from the module. module is either reloading or is in failed state. you must make the module up and refresh the module"
    I have tried reloading, resetting and refreshing the module but the issue is still present.
    I have accessed the module from the CLI, set it in offline mode and factory defaulted it, and the same issue is still present.
    The only thing I can think of is that this is a bug with CCP, as the loopback interface which the module is using can be pinged fine from the router, so the message makes no sense.
    Any ideas?

    Is your problem with CCP or the module itself?
    Because, CCP bugs and limitations aside, the module can normally be installed, configured and managed using CLI or its web interface (after software is initially loaded).

  • Can't launch Cisco Configuration Professional on Windows Vista x64

    Help is needed to resolve the issue (see subject).
    Tech environment
    Windows Vista x64
    Adobe Reader X ver. 10.1.0 (Russian)
    Cisco Configuration Professional 2.5
    JRE 6 update 27
    JRE 6 update 27 (64-bit)
    Internet Explorer 9.0.8112.16421IS
    While launching CCP, a message box pops up:
    "Unable to read the resource file. The file could be corrupted. Please re-install Cisco Configuration Professional to resolve the issue."
    Once (it never popped up again) an InstallShield Wizard message box popped up:
    Adobe Reader is not present on the PC. It is required to view the PDF file.
    Also the InstallShield Wizard message box:
    Internet Explorer with Java plug-in version 1.6.0_11   Checked
    Adobe Flash Player version 10                          Checked
    Memory 1 Gb                                            Checked
    Screen Resolution 1024x768                             Checked
    Trimmed _cpinstaller_004.log file:
    Product : Cisco Configuration Professional version 1.0
    10-4-2011 16:48:31 LOG   : Command line options =
    10-4-2011 16:48:31 LOG   : GetOS: OS Windows Vista
    10-4-2011 16:48:31 LOG   : GetOSServicePack: service pack 2
    10-4-2011 16:48:31 LOG   : GetIEVersion: IE version 9.0.8112.16421
    10-4-2011 16:52:51 LOG   : CheckCCPPorts: WARNING 80 is not a registered HTTP port
    10-4-2011 16:53:27 ERROR : SetRunAsAdmin: ERROR REG_APP_COMBAT_LAYERS_ROOT could not be created.
    10-4-2011 16:53:46 LOG   : GetJavaIEPluginVersion: java IE plugin version 1.6.0_27
    10-4-2011 16:53:47 LOG   : GetFlashPlayerVersion: flash player version 10
    10-4-2011 16:53:47 LOG   : GetScreenResolution: screen resolution 8
    10-4-2011 16:54:14 LOG   : OpenPDFFile: Adobe reader could not be found on system.
    10-4-2011 16:56:17 LOG   : OnEnd: installation successfully completed.

    Hi,ngoldwat!
    Yes, of course, I've tried to launch CCP with Administrator rights - no success.
    I have re-installed CCP under Local Admin and launched it. Great!!! It works! But, one more "but": the app does not launch from a domain user while I use Run as Administrator. I think the issue is in the permissions and/or the user's profile.
    Thanks ngoldwat! You have helped me.

  • Can Cisco Configuration Professional use the IPS feature?

    Dear Expert
    Hello.
    Could you tell me about Cisco Configuration Professional?
    I'd like to try the IOS-IPS on Cisco2901-SEC/K9.
    I searched CCO for Cisco Configuration Professional.
    The Cisco2901-SEC/K9 does not support SDM.
    But the Cisco2901-SEC/K9 supports Cisco Configuration Professional.
    Can Cisco Configuration Professional use the IPS feature like SDM?
    Regards,
    Takuro.

    Hi,
    yes, you can configure IOS IPS from Cisco Configuration Professional.
    CCP has a wizard to guide you through the process, this is a link for that :
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd8066d265.html
    I hope this helps you.
    Mashal

  • Cisco Configuration Professional on Windows 8.1

    Trying to run CCP 2.7 on Windows 8.1.  I've already changed the compatibility view settings and the program launches just fine and the view is correct.  I am not able to type anything in any of the fields.  I think this may be due to a Java version or setting.  I have downgraded my Java to JRE 1.6.0_11.  Any help would be great.  What am I missing?  Thanks in advance.

    I already had the setting in Java and added localhost in IE.  Same result.  Program will launch but when trying to add devices to the community, I am unable to type anything in any of the fields.
    What else would you suggest I use to manage my devices?  Consider I am not friendly with IOS commands and need a GUI interface.  Thanks.

  • Cisco Configuration professional corrupt

    I downloaded the full zip from http://tools.cisco.com/support/downloads/go/Model.x?mdfid=281795035&mdfLevel=null&treeName=Routers&modelName=Cisco%20Configuration%20Professional&treeMdfId=268437899
    from the 1st link, but it seems to be corrupt. The 2nd link gets to the download page but then redirects away to say its not available. What gives?

    I sent a message to their web-help support address. If I hear back I'll post.

  • Cisco Configuration Professional Error

    I just started using CCP, and it is only opening to half or 1/3 of the IE window. Updated Adobe, no juice. Java? Need some help!!!!! Kind of frustrated since I have been trying to get it to work for the past week.

    The solution for this was covered in the Network Management forum at this thread.

  • Cisco Configuration Professional - Takes lot of time on discovering

    Dear All,
    We have been using CCP for a long time without any issue, but suddenly it takes a lot longer than usual to discover a single device.
    Can anyone help me on this?
    Thanks.

  • Cisco Configuration Professional - Monitor - Traffic Status - Application traffic view

    Installed the latest version of CCP. Noticed that it uses Internet Explorer as the default browser.
    Current issue - Monitor - Traffic Status - Application traffic view shows a window that is too large for my current screen.
    I've tried several options to make it more viewable, but no luck.
    Screenshot, Explaining the issue - Notice the difficulty to view the graphs
    Any advice will be appreciated.
    Philip

    I've managed to fix it by changing the zoom on Internet Explorer.

  • Easy VPN Server? Hmmm.. Not so Easy...

    I used the Cisco Configuration Professional to add an Easy VPN Server to my 3825. I'm able to connect when remote but I can't ping the default gateway of 192.168.1.1 which is in the same network as the VPN DHCP pool. I can access every single other device on the VLAN segments but not the default gateway, which means when I connect I can't look at my router. And there's more: I cannot ping anything offnet (ie 75.75.75.75). Below is my config. Attached are some images which show some details from the client during the VPN connect and a few from the router (I had to use the LAN switch as a jump host). If you can figure this out before I go back to the coffee shop to test this tomorrow I will send you a cake.
    One thing I just thought of, does the virtual-template 1 interface have to have "nat inside" applied?
    Current configuration : 12356 bytes
    ! Last configuration change at 17:21:16 EDT Sat Nov 24 2012 by cluettr
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname router-wan
    boot-start-marker
    boot system flash:c3825-advipservicesk9-mz.151-4.M5.bin
    boot-end-marker
    logging buffered 100000000
    enable password xxxxxxxxxx
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa session-id common
    clock timezone EDT -4 0
    dot11 syslog
    no ip source-route
    ip dhcp excluded-address 192.168.1.1 192.168.1.199
    ip dhcp excluded-address 172.16.2.1 172.16.2.199
    ip dhcp excluded-address 172.16.3.1 172.16.3.199
    ip dhcp excluded-address 172.16.4.1 172.16.4.199
    ip dhcp pool 192.168.1.0
    network 192.168.1.0 255.255.255.0
    dns-server 192.168.1.1
    default-router 192.168.1.1
    lease infinite
    ip dhcp pool 172.16.2.0
    network 172.16.2.0 255.255.255.0
    dns-server 172.168.2.1
    default-router 172.168.2.1
    lease 0 4
    ip dhcp pool 172.16.3.0
    network 172.16.3.0 255.255.255.0
    dns-server 172.16.3.1
    default-router 172.16.3.1
    lease infinite
    ip dhcp pool 172.16.4.0
    network 172.16.4.0 255.255.255.0
    dns-server 172.16.4.1
    default-router 172.16.4.1
    lease 0 4
    ip dhcp pool 172.16.5.0
    network 172.16.5.0 255.255.255.0
    dns-server 172.16.5.1
    default-router 172.16.5.1
    lease infinite
    ip cef
    ip domain name robcluett.net
    no ipv6 cef
    multilink bundle-name authenticated
    voice-card 0
    voice service voip
    allow-connections sip to sip
    sip
      registrar server expires max 600 min 60
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-423317436
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-423317436
    revocation-check none
    rsakeypair TP-self-signed-423317436
    archive
    log config
      hidekeys
    vtp domain robcluett.net
    vtp mode transparent
    vtp version 2
    username xxxxxxx privilege 15 secret 5 $1$q8RN$N/gL80J2Rj9qOILvzXPgS.
    redundancy
    vlan 3-5
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group cisco
    key xxxxxxxxxxxxxxxxxxxx
    dns 75.75.75.75
    domain robcluett.net
    pool SDM_POOL_2
    crypto isakmp profile ciscocp-ike-profile-1
       description "VPN Default Profile for Group Cisco"
       match identity group cisco
       client authentication list ciscocp_vpn_xauth_ml_1
       isakmp authorization list ciscocp_vpn_group_ml_1
       client configuration address respond
       client configuration group cisco
       virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec profile CiscoCP_Profile1
    set security-association idle-time 86400
    set transform-set ESP-3DES-SHA
    set isakmp-profile ciscocp-ike-profile-1
    interface Loopback0
    description "Circuitless IP Address / Router Source IP"
    ip address 172.16.1.1 255.255.255.254
    interface GigabitEthernet0/0
    description "WAN :: COMCAST via DHCP"
    ip address dhcp client-id GigabitEthernet0/0
    ip nbar protocol-discovery
    ip flow ingress
    ip flow egress
    ip nat outside
    ip virtual-reassembly in
    duplex full
    speed 100
    media-type rj45
    interface GigabitEthernet0/1
    no ip address
    duplex auto
    speed auto
    media-type rj45
    no mop enabled
    interface GigabitEthernet1/0
    description "Uplink to switch-core-lan (Catalyst 2948G-GE-TX)"
    switchport mode trunk
    no ip address
    interface Virtual-Template1 type tunnel
    ip unnumbered GigabitEthernet0/0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile CiscoCP_Profile1
    interface Vlan1
    description "LAN :: VLAN 1 :: PRIVATE 192.168.1.0"
    ip address 192.168.1.1 255.255.255.0
    ip nbar protocol-discovery
    ip flow ingress
    ip flow egress
    ip nat inside
    ip virtual-reassembly in
    interface Vlan2
    description "LAN :: VLAN 2 :: PUBLIC 172.16.2.0"
    ip address 172.16.2.1 255.255.255.0
    ip access-group 102 in
    ip nbar protocol-discovery
    ip flow ingress
    ip flow egress
    ip nat inside
    ip virtual-reassembly in
    interface Vlan3
    description "WLAN :: VLAN 3 :: PRIVATE SSID=wlan-ap-private (not broadcast)"
    ip address 172.16.3.1 255.255.255.0
    ip nbar protocol-discovery
    ip flow ingress
    ip flow egress
    ip nat inside
    ip virtual-reassembly in
    interface Vlan4
    description "WLAN :: VLAN 4 :: PUBLIC SSID=wlan-ap-public"
    ip address 172.16.4.1 255.255.255.0
    ip access-group 104 in
    ip nbar protocol-discovery
    ip flow ingress
    ip flow egress
    ip nat inside
    ip virtual-reassembly in
    rate-limit input 1024000 192000 384000 conform-action transmit exceed-action drop
    rate-limit output 5120000 960000 1920000 conform-action transmit exceed-action drop
    interface Vlan5
    description "EDMZ :: VLAN 5 :: 10.10.10.0"
    ip address 10.10.10.1 255.255.255.0
    ip nbar protocol-discovery
    ip flow ingress
    ip flow egress
    ip nat inside
    ip virtual-reassembly in
    interface Vlan6
    description "IDMZ :: VLAN 6 :: 10.19.19.0"
    ip address 10.19.19.1 255.255.255.0
    ip nbar protocol-discovery
    ip flow ingress
    ip flow egress
    ip nat inside
    ip virtual-reassembly in
    interface Vlan7
    description "LAN :: VLAN 7 :: Voice 172.16.5.0
    ip address 172.16.5.1 255.255.255.0
    ip nbar protocol-discovery
    ip flow ingress
    ip flow egress
    ip nat inside
    ip virtual-reassembly in
    ip local pool SDM_POOL_2 192.168.1.200 192.168.1.254
    ip forward-protocol nd
    ip flow-export source Loopback0
    ip flow-top-talkers
    top 10
    sort-by bytes
    ip dns server
    ip nat inside source list 2 interface GigabitEthernet0/0 overload
    ip nat inside source static tcp 10.10.10.10 80 interface GigabitEthernet0/0 80
    ip nat inside source static tcp 10.10.10.51 443 interface GigabitEthernet0/0 443
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 2
    logging trap debugging
    logging source-interface Loopback0
    access-list 2 remark NAT
    access-list 2 permit 192.168.1.0 0.0.0.255
    access-list 2 permit 172.16.2.0 0.0.0.255
    access-list 2 permit 172.16.3.0 0.0.0.255
    access-list 2 permit 172.16.4.0 0.0.0.255
    access-list 2 permit 172.16.5.0 0.0.0.255
    access-list 2 permit 10.10.10.0 0.0.0.255
    access-list 2 permit 10.19.19.0 0.0.0.255
    access-list 100 remark WAN Firewall Access List
    access-list 100 permit udp any eq bootps any eq bootpc
    access-list 100 permit tcp any any eq www
    access-list 100 permit udp any eq domain any
    access-list 100 permit tcp any any established
    access-list 100 deny   ip any any log-input
    access-list 102 remark VLAN 2 Prevent Public LAN Access to Other Networks
    access-list 102 deny   ip 172.16.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
    access-list 102 deny   ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255 log
    access-list 102 deny   ip 172.16.2.0 0.0.0.255 172.16.3.0 0.0.0.255 log
    access-list 102 deny   ip 172.16.2.0 0.0.0.255 172.16.4.0 0.0.0.255 log
    access-list 102 deny   ip 172.16.2.0 0.0.0.255 172.16.5.0 0.0.0.255 log
    access-list 102 permit ip any any
    access-list 104 remark VLAN 4 Prevent Public Wifi Access to Other Networks
    access-list 104 deny   ip 172.16.4.0 0.0.0.255 192.168.1.0 0.0.0.255 log
    access-list 104 deny   ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255 log
    access-list 104 deny   ip 172.16.4.0 0.0.0.255 172.16.2.0 0.0.0.255 log
    access-list 104 deny   ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 log
    access-list 104 deny   ip 172.16.4.0 0.0.0.255 172.16.5.0 0.0.0.255 log
    access-list 104 permit ip any any
    access-list 105 remark VLAN 5 Prevent EDMZ Access to Other Networks
    access-list 105 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255 log
    access-list 105 deny   ip 10.10.10.0 0.0.0.255 172.16.2.0 0.0.0.255 log
    access-list 105 deny   ip 10.10.10.0 0.0.0.255 172.16.3.0 0.0.0.255 log
    access-list 105 deny   ip 10.10.10.0 0.0.0.255 172.16.4.0 0.0.0.255 log
    access-list 105 deny   ip 10.10.10.0 0.0.0.255 172.16.5.0 0.0.0.255 log
    access-list 105 deny   ip 10.10.10.0 0.0.0.255 10.19.19.0 0.0.0.255 log
    access-list 105 permit ip any any
    snmp-server trap-source Loopback0
    snmp-server location xxxxxxxxxxxxxxxxxxxxx
    snmp-server contact xxxxxxxxxxxxxxxxxxxxxxx
    control-plane
    mgcp profile default
    telephony-service
    max-conferences 12 gain -6
    web admin system name cluettr password 11363894
    dn-webedit
    transfer-system full-consult
    line con 0
    line aux 0
    line vty 0 4
    transport input telnet ssh
    transport output all
    line vty 5 15
    transport input telnet ssh
    transport output all
    scheduler allocate 20000 1000
    ntp logging
    ntp source Loopback0
    end
    router-wan#

    I was under the impression that using the virtual template and ip unnumbered allows the interface to respond to the DHCP IP provided to Gi0/0 by my ISP. If I were to make, say, VLAN 1 the VPN interface, how would I then access it from the WAN given that it has a NAT'd LAN IP? I guess port forwarding would work if that would have to be in addition to using a VLAN?
    > Here's a follow up question which you or someone might be able to answer for me. Sorry for dumping the added question on you. My ultimate goal is to have a WAN accessible VPN and a VPN residing on the local LAN. The reason is so I can secure with encryption any wifi clients I have on the LAN (preventing man-in-the-middle attacks) and be secured at, for example, a coffee shop. I'm not sure if there's a means to have the same configured VPN work when attached locally or remotely? And if roaming in regards to a VPN is something that can be achieved...
    As an aside, my reasons for going to these lengths for security are valid. I've recently encountered a situation where I was hacked (this is my home network) using a MIMA and what I assume to be SSLstrip or some derivative to obtain my email address and password. Wasn't fun, wasn't pretty.
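    Both NAT mistakes raised on this page, the backwards exemption ACL in the reply near the top (source and destination swapped) and the 3825 poster's own question of whether Virtual-Template1 needs "ip nat inside", can be caught by reading the running config before it goes live. The Python audit below is an added example, not code from the thread or from Cisco. The two configs it inspects are constructed for the demonstration, the function, pool and interface names (audit_easyvpn_nat, SDM_POOL_1, Dialer0) are assumptions, and the virtual-template check encodes the poster's hypothesis, which the thread itself never confirms.

```python
# Added example (not from the thread): audit an IOS Easy VPN server config for
# the NAT problems discussed on the page. All configs and addresses below are
# constructed; audit_easyvpn_nat and the other names are the author's own.
import ipaddress
import re


def parse_interfaces(config):
    """Return {interface name: [sub-commands]}. Assumes IOS layout:
    'interface X' at column 0, sub-commands indented by at least one space."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # any other top-level line closes the block
    return blocks


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an ip_network (wildcard = inverted mask)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _take_net(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' from the front of an ACL line."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(config, acl_id):
    """Return [(action, src_net, dst_net)] for numbered ACL acl_id.
    Standard entries (no protocol keyword) get destination 0.0.0.0/0; tcp/udp/icmp
    entries are skipped because only 'ip' entries matter for a NAT exemption."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", str(acl_id)] or tok[2] == "remark":
            continue
        if tok[3] in ("tcp", "udp", "icmp"):
            continue
        if tok[3] == "ip":                    # extended: permit ip SRC WC DST WC
            src, rest = _take_net(tok[4:])
            dst, _ = _take_net(rest)
        else:                                 # standard: permit SRC WC
            src, _ = _take_net(tok[3:])
            dst = ipaddress.ip_network("0.0.0.0/0")
        entries.append((tok[2], src, dst))
    return entries


def audit_easyvpn_nat(config):
    """Return a list of findings; an empty list means every check passed."""
    findings, ifaces = [], parse_interfaces(config)
    pools = {m.group(1): (ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3)))
             for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M)}
    # LAN subnets = addresses of interfaces that carry 'ip nat inside'
    inside_nets = []
    for cmds in ifaces.values():
        for c in cmds if "ip nat inside" in cmds else []:
            m = re.match(r"ip address (\S+) (\S+)$", c)
            if m:
                try:
                    inside_nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
                except ValueError:
                    pass                      # e.g. 'ip address dhcp client-id ...'
    # Check 1: client packets enter through the virtual template; if it is not nat
    # inside they are forwarded to the WAN with the pool address untranslated.
    for name, cmds in ifaces.items():
        if name.startswith("Virtual-Template") and "ip nat inside" not in cmds:
            findings.append(f"{name}: missing 'ip nat inside'; VPN clients reach the Internet untranslated")
    # Check 2: exemption direction, Check 3: the pool itself is permitted for PAT.
    pool_covered = {p: False for p in pools}
    for acl_id in re.findall(r"^ip nat inside source list (\S+) interface \S+", config, re.M):
        for action, src, dst in parse_acl(config, acl_id):
            src_is_pool = any(f in src and l in src for f, l in pools.values())
            if action == "permit":
                for p, (f, l) in pools.items():
                    pool_covered[p] = pool_covered[p] or (f in src and l in src)
            elif action == "deny" and src_is_pool and dst in inside_nets:
                findings.append(f"ACL {acl_id}: NAT exemption is backwards (source is the VPN pool, "
                                f"destination is the LAN); it should read LAN -> pool")
    for p, ok in pool_covered.items():
        if not ok:
            findings.append(f"pool {p}: no NAT permit covers it, so hairpinned client traffic is never translated")
    return findings


# Constructed 'before' config: exemption written pool -> LAN, template not nat inside.
BROKEN_CONFIG = """\
hostname lab-easyvpn
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Dialer0
 ip address negotiated
 ip nat outside
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 tunnel mode ipsec ipv4
ip local pool SDM_POOL_1 192.168.2.200 192.168.2.250
ip nat inside source list 101 interface Dialer0 overload
access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""
# Same device with the exemption reversed, the pool permitted and the template nat inside.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    " tunnel mode ipsec ipv4\n", " ip nat inside\n tunnel mode ipsec ipv4\n").replace(
    "deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255") + \
    "access-list 101 permit ip 192.168.2.0 0.0.0.255 any\n"

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_easyvpn_nat(cfg) or "no findings")
```

    Run against the broken config it reports three findings (template not nat inside, exemption backwards, pool never permitted); against the fixed one it reports none. To use it on a real box, paste the output of "show running-config" into the config string; the parser only relies on the standard IOS indentation of interface sub-commands.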

  • How can I set up a VPN on my mac?

    I am trying to set up a VPN connection so that I can access my work from my Mac.  The system there is Windows based.  I have found articles about how to set up a VPN on a Mac but there doesn't appear to be an area to put the static IP address or the computer IP address.  Any help would be appreciated!

    Have you read the printer manual? It will contain instructions for connecting it to a network, and then to your Mac. You don't identify this printer so it's difficult to be more specific.
    You can also go to the printer manufacturers website and seek assistance there.

  • Cisco 876w: wlan client - routing problem

    I configured a Cisco 876w to connect to an existing WLAN as a client. Now I would like to connect 3 PCs to the 876w which should be able to access the internet via the 876w.
    Problem:
    Being at the console (ssh) of the 876w, I can ping hosts in the internet (even with their name like www.google.com) but when I'm using a client PC, I can't... What am I missing here? Could it be a NAT problem?
    Config:
    Internet <--->  DSL Router 192.168.1.1 (and WLAN AccessPoint)  <--->  Cisco 876w (gets IP per DHCP, VLAN1 IP: 10.10.10.1) <---> PC (10.10.10.101)
    Current configuration : 9897 bytes
    version 12.4
    no service pad
    ...
    dot11 vlan-name wlan-lan vlan 1
    dot11 ssid WLAN
    vlan 1
    authentication open
    authentication key-management wpa
    wpa-psk ascii 7 0923467F1B2E52789807132F7A202E3D31
    no ip source-route
    ip dhcp excluded-address 10.10.10.1 10.10.10.9
    ip dhcp excluded-address 10.10.10.101 10.10.10.254
    ip dhcp pool ccp-pool1
       import all
       network 10.10.10.0 255.255.255.0
       default-router 10.10.10.1
       domain-name cisco.test.com
       dns-server 208.67.222.222
    ip cef
    no ip bootp server
    ip domain name test.com
    ip name-server 208.67.222.222
    ip ddns update method sdm_ddns1
    HTTP
      add http://[email protected]/nic/update?system=dyndns&hostname=//[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
      remove http://[email protected]/nic/update?system=dyndns&hostname=//[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
    no ipv6 cef
    multilink bundle-name authenticated
    isdn switch-type basic-net3
    username admin privilege 15 secret 5 $1$uiouLKjbLIUBlKbj
    username service privilege 15 secret 5 $1$LKjblkJNBLKkjlbkm
    archive
    log config
      hidekeys
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    class-map type inspect match-all sdm-cls--1
    match access-group name AllowAny
    policy-map type inspect sdm-policy-sdm-cls--1
    class type inspect sdm-cls--1
      inspect
    class class-default
      drop
    zone security wan
    zone security lan
    zone-pair security sdm-zp-lan-wan source lan destination wan
    service-policy type inspect sdm-policy-sdm-cls--1
    interface BRI0
    description <--
    no ip address
    ip flow ingress
    ip virtual-reassembly
    encapsulation ppp
    shutdown
    dialer pool-member 1
    isdn switch-type basic-net3
    isdn point-to-point-setup
    ppp multilink
    !
    interface ATM0
    backup interface BRI0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    shutdown
    no atm ilmi-keepalive
    interface ATM0.3 point-to-point
    description <--
    ip flow ingress
    shutdown
    pvc 1/32
      pppoe-client dial-pool-number 2
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Dot11Radio0
    description <--
    no ip address
    no ip proxy-arp
    ip flow ingress
    ip virtual-reassembly
    no ip route-cache cef
    no ip route-cache
    encryption mode ciphers aes-ccm
    encryption vlan 1 mode ciphers aes-ccm
    ssid WLAN
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role non-root
    no cdp enable
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    ip address dhcp
    ip nat outside
    ip virtual-reassembly
    no ip route-cache
    no cdp enable
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
    ip address 10.10.10.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    zone-member security lan
    ip tcp adjust-mss 1412
    interface Dialer0
    ip ddns update hostname blahblah.dnsalias.com
    ip ddns update sdm_ddns1
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    zone-member security wan
    encapsulation ppp
    shutdown
    dialer pool 1
    dialer idle-timeout 600
    dialer string 01919214124
    dialer load-threshold 20 outbound
    dialer watch-group 1
    dialer-group 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname asfa
    ppp chap password 7 128763520
    ppp pap sent-username asfa password 7 0302141555
    ppp multilink
    interface Dialer2
    ip ddns update sdm_ddns1
    ip address negotiated
    ip mtu 1452
    ip nat outside
    ip virtual-reassembly
    zone-member security wan
    encapsulation ppp
    dialer pool 2
    dialer-group 2
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname gast
    ppp chap password 7 095B239876473F06090A
    ppp pap sent-username gast password 7 1239847629873693D
    router rip
    network 10.0.0.0
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 192.168.1.1
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 105 interface Dialer0 overload
    ip nat inside source list 106 interface Dot11Radio0.1 overload
    ip access-list extended AllowAny
    remark CCP_ACL Category=128
    permit ip 10.10.10.0 0.0.0.255 any
    ip access-list extended nix
    remark tut nix
    remark CCP_ACL Category=2
    permit tcp any any
    permit udp any any
    permit icmp any any
    permit ip any any
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 10.10.10.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=2
    access-list 100 permit ip any any
    access-list 101 remark CCP_ACL Category=2
    access-list 101 permit ip 10.10.10.0 0.0.0.255 any
    access-list 102 remark CCP_ACL Category=2
    access-list 102 permit ip 10.10.10.0 0.0.0.255 any
    access-list 103 remark CCP_ACL Category=2
    access-list 103 permit ip 10.10.10.0 0.0.0.255 any
    access-list 105 remark Alles
    access-list 105 remark CCP_ACL Category=2
    access-list 105 permit ip 10.10.10.0 0.0.0.255 any
    access-list 105 permit icmp 10.10.10.0 0.0.0.255 any
    access-list 105 permit udp 10.10.10.0 0.0.0.255 any
    access-list 105 permit tcp 10.10.10.0 0.0.0.255 any
    access-list 106 remark NAT wlan
    access-list 106 remark CCP_ACL Category=2
    access-list 106 permit ip 10.10.10.0 0.0.0.255 any
    access-list 106 permit icmp 10.10.10.0 0.0.0.255 any
    access-list 106 permit udp 10.10.10.0 0.0.0.255 any
    access-list 106 permit tcp 10.10.10.0 0.0.0.255 any
    dialer watch-list 1 ip 208.67.222.222 255.255.255.255
    dialer-list 1 protocol ip permit
    no cdp run
    radius-server attribute 32 include-in-access-req format %h
    radius-server vsa send accounting
    control-plane
    banner exec ^C
    % Password expiration warning.
    Cisco Configuration Professional (Cisco CP) is installed on this device
    and it provides the default username "cisco" for  one-time use. If you have
    already used the username "cisco" to login to the router and your IOS image
    supports the "one-time" user option, then this username has already expired.
    You will not be able to login to the router with this username after you exit
    this session.
    It is strongly suggested that you create a new username with a privilege level
    of 15 using the following command.
    username <myuser> privilege 15 secret 0 <mypassword>
    Replace <myuser> and <mypassword> with the username and password you
    want to use.
    ^C
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    line con 0
    no modem enable
    transport output telnet
    line aux 0
    transport output telnet
    line vty 0 4
    transport input telnet ssh
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end
    ndrmedienturm#sh ip int brief
    Interface                  IP-Address      OK? Method Status                Protocol
    FastEthernet0              unassigned      YES unset  up                    up     
    FastEthernet1              unassigned      YES unset  up                    down   
    FastEthernet2              unassigned      YES unset  up                    down   
    FastEthernet3              unassigned      YES unset  up                    down   
    BRI0                       unassigned      YES NVRAM  standby mode/disabled down   
    BRI0:1                     unassigned      YES unset  administratively down down   
    BRI0:2                     unassigned      YES unset  administratively down down   
    Dot11Radio0                unassigned      YES TFTP   up                    up     
    Dot11Radio0.1              unassigned      YES DHCP   up                    up     
    ATM0                       unassigned      YES NVRAM  administratively down down   
    ATM0.3                     unassigned      YES unset  administratively down down   
    SSLVPN-VIF0                unassigned      NO  unset  up                    up     
    Vlan1                      10.10.10.1      YES NVRAM  up                    up     
    NVI0                       unassigned      YES unset  administratively down down   
    Dialer0                    unassigned      YES NVRAM  administratively down down   
    Dialer2                    unassigned      YES NVRAM  up                    up     
    Virtual-Dot11Radio0        unassigned      YES TFTP   up                    up     
    Virtual-Dot11Radio0.1      192.168.1.54    YES DHCP   up                    up

    Hi,
    Just check a few things: from the client, are you able to ping the WAN interface of the Cisco 876w, and when you ping the Internet address from the client PC, what is the output of the NAT translation on the router?
    The command to check this is show ip nat translations, to see whether the packet is getting translated or not.
    Hope to Help !!
    Ganesh.H
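    Before looking at translations, it is worth confirming that the NAT statements even point at an interface that holds an address: in the posted output both "ip nat inside source list" lines reference Dialer0 (administratively down) and Dot11Radio0.1 (unassigned), while the only WAN-side lease sits on Virtual-Dot11Radio0.1, which the saved config never declares. The Python check below is an added example, not code from the thread; its sample config and "show ip interface brief" output are constructed to resemble the post, and check_nat_outside and the other names are the author's assumptions.

```python
# Added example (not from the thread): cross-check the interfaces named in
# 'ip nat inside source list ... interface X' against 'show ip interface brief'.
# Sample config and output are constructed; the names are the author's own.
import re


def parse_int_brief(output):
    """Parse 'show ip interface brief' into {name: (ip, status, protocol)}.
    Status may span several words ('administratively down'); protocol is the last column."""
    rows = {}
    for line in output.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] == "Interface":   # skip prompt and header lines
            continue
        rows[tok[0]] = (tok[1], " ".join(tok[4:-1]), tok[-1])
    return rows


def check_nat_outside(config, brief):
    """Return {'dead_nat_outside': [(name, ip, status, proto)], 'unmanaged_addressed': [name]}."""
    rows = parse_int_brief(brief)
    nat_targets = re.findall(r"^ip nat inside source list \S+ interface (\S+)", config, re.M)
    # 1. An interface that PAT translates to must be up/up and carry an address,
    #    otherwise no translation entry can ever be built.
    dead = []
    for name in nat_targets:
        ip, status, proto = rows.get(name, ("missing", "?", "?"))
        if ip in ("unassigned", "missing") or status != "up" or proto != "up":
            dead.append((name, ip, status, proto))
    # 2. Addressed, up/up interfaces that the saved config never declares: a lease
    #    that landed there is outside every NAT and zone statement in the config.
    unmanaged = [name for name, (ip, status, proto) in rows.items()
                 if ip != "unassigned" and status == "up" and proto == "up"
                 and not re.search(rf"^interface {re.escape(name)}$", config, re.M)]
    return {"dead_nat_outside": dead, "unmanaged_addressed": unmanaged}


# Constructed excerpt modelled on the 876w post.
SAMPLE_CONFIG = """\
interface Dot11Radio0.1
 ip address dhcp
 ip nat outside
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
interface Dialer0
 ip address negotiated
 ip nat outside
 shutdown
ip nat inside source list 105 interface Dialer0 overload
ip nat inside source list 106 interface Dot11Radio0.1 overload
"""

# Constructed 'show ip interface brief' output with the same shape as the post.
SAMPLE_BRIEF = """\
router#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
BRI0                       unassigned      YES NVRAM  standby mode/disabled down
Dot11Radio0.1              unassigned      YES DHCP   up                    up
Vlan1                      10.10.10.1      YES NVRAM  up                    up
Dialer0                    unassigned      YES NVRAM  administratively down down
Virtual-Dot11Radio0.1      192.168.1.54    YES DHCP   up                    up
"""

if __name__ == "__main__":
    report = check_nat_outside(SAMPLE_CONFIG, SAMPLE_BRIEF)
    for name, ip, status, proto in report["dead_nat_outside"]:
        print(f"NAT points at {name}, which is {ip} / {status} / {proto}")
    for name in report["unmanaged_addressed"]:
        print(f"{name} holds an address but is not declared in the config")
```

    On the sample data the report flags both NAT targets (Dialer0 down, Dot11Radio0.1 without an address) and singles out Virtual-Dot11Radio0.1 as the undeclared interface that actually holds the lease, which is the mismatch to resolve before chasing "show ip nat translations".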

  • Cisco 28xx easy vpn server & MS NPS (RADIUS server)

    Hello.
    There is a LAN (192.168.11.0/24) with a cisco 2821 border router (192.168.11.1), on which an Easy VPN Server is configured with local authorization of remote users, who connect using Cisco VPN Client v 5.0. Everything works. On the same LAN there is an MS Windows Server 2012 Essentials acting as the AD DC.
    A need has arisen to move the authorization of remote users to a RADIUS server. I want to use MS Network Policy Server (NPS) 2012 Essentials (192.168.11.9) as the RADIUS server.
    The corresponding policy has been set up on the server, the NPS server is registered in AD, a RADIUS client (192.168.11.1) has been created, and a Network Policy has been configured. A VPN-USERS group has been created in AD, to which, in addition to the remote users, a service user EasyVPN with the password "cisco" has been added.
    Below is an excerpt from the cisco 2821 config:
    aaa new-model
    aaa authentication login rausrs local
    aaa authentication login VPN-XAUTH group radius
    aaa authorization network ragrps local
    aaa authorization network VPN-GROUP local
    aaa session-id common
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp client configuration address-pool local RAPOOL
    crypto isakmp client configuration group ra1grp
    key key-for-remote-access
    domain domain.local
    pool RAPOOL
    acl split-acl
    split-dns 192.168.11.9
    crypto isakmp client configuration group EasyVPN
    key qwerty123456
    domain domain.local
    pool RAPOOL
    acl split-acl
    split-dns 192.168.11.9
    crypto isakmp profile RA-profile
       description profile for remote access VPN
       match identity group ra1grp
       client authentication list rausrs
       isakmp authorization list ragrps
       client configuration address respond
    crypto isakmp profile VPN-IKMP-PROFILE
       description profile for remote access VPN via RADIUS
       match identity group EasyVPN
       client authentication list VPN-XAUTH
       isakmp authorization list VPN-GROUP
       client configuration address respond
    crypto ipsec transform-set tset1 esp-aes esp-sha-hmac
    crypto dynamic-map dyn-cmap 100
    set transform-set tset1
    set isakmp-profile RA-profile
    reverse-route
    crypto dynamic-map dyn-cmap 101
    set transform-set tset1
    set isakmp-profile VPN-IKMP-PROFILE
    reverse-route
    crypto map stat-cmap 100 ipsec-isakmp dynamic dyn-cmap
    int Gi0/1
    description -- to WAN --
    crypto map stat-cmap
    As a result, the following error appears on the Cisco (highlighted in bold):
    RADIUS/ENCODE(000089E0):Orig. component type = VPN_IPSEC
    RADIUS:  AAA Unsupported Attr: interface         [157] 14
    RADIUS:   31 39 34 2E 38 38 2E 31 33 39 2E 31              [194.88.139.1]
    RADIUS(000089E0): Config NAS IP: 192.168.11.1
    RADIUS/ENCODE(000089E0): acct_session_id: 35296
    RADIUS(000089E0): sending
    RADIUS(000089E0): Send Access-Request to 192.168.11.9:1645 id 1645/61, len 103
    RADIUS:  authenticator 4A B1 DB 2D B7 58 B2 BF - 7F 12 6F 96 01 99 32 91
    RADIUS:  User-Name           [1]   9   "EasyVPN"
    RADIUS:  User-Password       [2]   18  *
    RADIUS:  Calling-Station-Id  [31]  16  "aaa.bbb.ccc.137"
    RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    RADIUS:  NAS-Port            [5]   6   1
    RADIUS:  NAS-Port-Id         [87]  16  "aaa.bbb.ccc.136"
    RADIUS:  Service-Type        [6]   6   Outbound                  [5]
    RADIUS:  NAS-IP-Address      [4]   6   192.168.11.1
    RADIUS: Received from id 1645/61 192.168.11.9:1645, Access-Reject, len 20
    RADIUS:  authenticator A8 08 69 44 44 8B 13 A5 - 06 C2 95 8D B4 C4 E9 01
    RADIUS(000089E0): Received from id 1645/61
    MS NPS reports error 6273:
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
        Security ID:            domain\VladimirK
        Account Name:           VladimirK
        Account Domain:         domain
        Fully Qualified Account Name:   domain.local/Users/VladimirK
    Client Machine:
        Security ID:            NULL SID
        Account Name:           -
        Fully Qualified Account Name:    -
        OS-Version:             -
        Called Station Identifier:        -
        Calling Station Identifier:       aaa.bbb.ccc.137
    NAS:
        NAS IPv4 Address:       192.168.11.1
        NAS IPv6 Address:       -
        NAS Identifier:         -
        NAS Port-Type:          Virtual
        NAS Port:               0
    RADIUS Client:
        Client Friendly Name:   Cisco2821
        Client IP Address:      192.168.11.1
    Authentication Details:
        Connection Request Policy Name:    Use Windows authentication for all users
        Network Policy Name:    Connections to other access servers
        Authentication Provider:        Windows
        Authentication Server:  DC01.domain.local
        Authentication Type:    PAP
        EAP Type:               -
        Account Session Identifier:        -
        Logging Results:        Accounting information was written to the local log file.
        Reason Code:            66
        Reason:                 The user attempted to use an authentication method that is not enabled on the matching network policy.
    Playing with Cisco AV Pairs and the other Network Policy settings on the RADIUS server gives the same result.
    Studying the "Network Policy Server Technical Reference" and "Configuring IPSec Between a Cisco IOS Router and a Cisco VPN Client 4.x for Windows Using RADIUS for User Authentication" (Document ID: 21060) gave no answer.
    If anyone has done something like this, please point me in a direction to look for a solution.

    Going through your post, I can see that the RADIUS server is sending an Access-Reject because the RADIUS Access-Request is carrying the VPN group name in the User-Name field. I was in a discussion of the same problem a few days ago, and it was resolved by making 2 changes:
    replace the authorization from radius to local
    and
    change the encryption type in the transform set.
    However, your configuration already has those changes.
    Here you can check the same: https://supportforums.cisco.com/thread/2226065
    Could you please tell me what exactly the RADIUS server is complaining about? Can you please paste the error you're getting on the RADIUS server.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**
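To make the two logs in this thread comparable, here is an added example (not code from the post, Cisco or Microsoft) that parses the IOS 'debug radius' attribute dump and the NPS event 6273 fields and reports what the NAS asked for against what NPS logged. Attribute numbers are taken from RFC 2865/2869. The statement that IOS sends its ISAKMP group-policy lookup with the group name as User-Name and Service-Type Outbound is the IOS convention, not something the thread states. The regexes assume the debug and event formats exactly as posted, and the embedded sample is copied from the post, trimmed to the lines used. Note that the posted debug shows the group lookup for 'EasyVPN' while the NPS event is for the user VladimirK, so the two excerpts are not necessarily the same request; the script flags that.

```python
"""Correlate an IOS 'debug radius' dump with the NPS event 6273 it caused.

Added example for the thread above; not code from the post, Cisco or Microsoft.
Attribute numbers follow RFC 2865/2869, the reason text is the one quoted in the
event, and the sample input is copied from the post (trimmed to the lines used).
"""
import re

# Attributes that reveal the authentication method. User-Password (2) is PAP: the
# password rides in the Access-Request, hidden only by an MD5 stream keyed with the
# RADIUS shared secret (RFC 2865 section 5.2).
AUTH_METHOD_ATTRS = {2: "PAP", 3: "CHAP", 60: "CHAP", 79: "EAP"}

ATTR_RE = re.compile(r'^RADIUS:\s+(?P<name>[\w-]+)\s+\[(?P<type>\d+)\]\s+\d+\s*(?P<value>.*)$')
SEND_RE = re.compile(r'^RADIUS\(\w+\): Send (?P<code>Access-\w+) to (?P<srv>[\d.]+:\d+) id (?P<id>[\d/]+)')
RECV_RE = re.compile(r'^RADIUS: Received from id (?P<id>[\d/]+) (?P<srv>[\d.]+:\d+), (?P<code>Access-\w+)')
NPS_FIELD_RE = re.compile(r'^\s*(?P<key>[A-Za-z][\w /-]*?):\s+(?P<value>\S.*?)\s*$')

def parse_debug_radius(lines):
    """Group the dump into exchanges: {id, server, attrs {type: (name, value)}, reply}."""
    exchanges, current = [], None
    for raw in lines:
        line = raw.strip()
        if m := SEND_RE.match(line):
            current = {"id": m["id"], "server": m["srv"], "attrs": {}, "reply": None}
            exchanges.append(current)
        elif (m := ATTR_RE.match(line)) and current and current["reply"] is None:
            value = " ".join(m["value"].split()).strip('"')  # collapse padding, drop quotes
            current["attrs"][int(m["type"])] = (m["name"], value)
        elif m := RECV_RE.match(line):
            for ex in exchanges:  # pair the reply with the outstanding request of that id
                if ex["id"] == m["id"] and ex["server"] == m["srv"] and ex["reply"] is None:
                    ex["reply"] = m["code"]
                    break
    return exchanges

def parse_nps_event(text):
    """Flatten 'Key: value' lines; keep the first value of a key that repeats
    (Account Name appears under both User and Client Machine)."""
    fields = {}
    for line in text.splitlines():
        if m := NPS_FIELD_RE.match(line):
            fields.setdefault(m["key"].strip(), m["value"])
    return fields

def nas_auth_method(exchange):
    methods = {AUTH_METHOD_ATTRS[t] for t in exchange["attrs"] if t in AUTH_METHOD_ATTRS}
    return "/".join(sorted(methods)) or "unknown"

def diagnose(exchange, nps):
    """Set what the NAS sent beside what NPS logged and explain the reject."""
    attrs = exchange["attrs"]
    user, method = attrs.get(1, ("", "?"))[1], nas_auth_method(exchange)
    findings = [f"{exchange['reply']} from {exchange['server']} for User-Name {user!r}; NAS used {method}"]
    if attrs.get(6, ("", ""))[1].startswith("Outbound"):
        # IOS sends its ISAKMP group-policy lookup as User-Name=<group> with
        # Service-Type Outbound, so this request is the group lookup, not XAUTH.
        findings.append(f"Service-Type Outbound: ISAKMP group lookup for {user!r}, not the user's XAUTH login")
    logged = nps.get("Authentication Type")
    if logged and logged != method:
        findings.append(f"NPS logged {logged} but the NAS used {method}: probably a different request")
    if nps.get("Reason Code") == "66":
        findings.append(f"reason 66: {logged or method} is not enabled on network policy "
                        f"{nps.get('Network Policy Name')!r}; the request must match a policy that allows it")
    return findings

# Sample input copied from the post above (trimmed).
DEBUG_RADIUS = """\
RADIUS:  AAA Unsupported Attr: interface         [157] 14
RADIUS(000089E0): Send Access-Request to 192.168.11.9:1645 id 1645/61, len 103
RADIUS:  User-Name           [1]   9   "EasyVPN"
RADIUS:  User-Password       [2]   18  *
RADIUS:  Calling-Station-Id  [31]  16  "aaa.bbb.ccc.137"
RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
RADIUS:  Service-Type        [6]   6   Outbound                  [5]
RADIUS:  NAS-IP-Address      [4]   6   192.168.11.1
RADIUS: Received from id 1645/61 192.168.11.9:1645, Access-Reject, len 20
""".splitlines()
NPS_EVENT_6273 = """\
Network Policy Server denied access to a user.
User:
    Account Name:           VladimirK
Client Machine:
    Account Name:           -
Authentication Details:
    Network Policy Name:    Connections to other access servers
    Authentication Type:    PAP
    Reason Code:            66
    Reason:                 The user attempted to use an authentication method that is not enabled on the matching network policy.
"""

def run():
    """Diagnose every rejected exchange in the sample against the sample event."""
    nps = parse_nps_event(NPS_EVENT_6273)
    return [f for ex in parse_debug_radius(DEBUG_RADIUS) if ex["reply"] == "Access-Reject"
            for f in diagnose(ex, nps)]

if __name__ == "__main__":
    print(*run(), sep="\n")
```

Run as is, it prints three findings for the posted sample: the reject for User-Name 'EasyVPN', that this request is the group lookup rather than the user's XAUTH login, and that reason 66 means PAP (the method the User-Password attribute implies) is not allowed by the 'Connections to other access servers' policy that matched. Point it at a fuller debug capture and it will pair every Access-Request with its reply by request id.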

  • Setting up IPsec VPNs to use with Cisco Anyconnect

    So I've been having trouble setting up VPNs on our ASA 5510. I would like to use IPsec VPNs so that we don't have to worry about licensing issues, but from what I've read you can do this and still use Cisco AnyConnect. My knowledge of how to set up VPNs, especially in IOS version 8.4, is limited, so I've been using a combination of the command line and ASDM.
    I'm finally able to connect from a remote location, but once I connect, nothing else works. From what I've read, you can use IPsec for client-to-LAN connections. I've been using a pre-shared key for this. Documentation is limited on what should happen after you connect. Shouldn't I be able to access computers that are local to the VPN connection? I'm trying to set this up from work. If I VPN from home, shouldn't I be able to access all resources at work? I think because I've used the command line as well as ASDM I've confused some of the configuration. Plus I think some of the default policies are confusing me too. So I probably need a lot of help. Below is my current configuration with IP addresses altered and stuff that is completely unrelated to VPNs removed.
    NOTE: We are still testing this ASA and it isn't in production.
    Any help you can give me is much appreciated.
    ASA Version 8.4(2)
    hostname ASA
    domain-name domain.com
    interface Ethernet0/0
    nameif inside
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    interface Ethernet0/1
    nameif outside
    security-level 0
    ip address 50.1.1.225 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    no nameif
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    boot system disk0:/asa842-k8.bin
    ftp mode passive
    dns domain-lookup outside
    dns server-group DefaultDNS
    same-security-traffic permit intra-interface
    object network NETWORK_OBJ_192.168.0.224_27
    subnet 192.168.0.224 255.255.255.224
    object-group service VPN
    service-object esp
    service-object tcp destination eq ssh
    service-object tcp destination eq https
    service-object udp destination eq 443
    service-object udp destination eq isakmp
    access-list ips extended permit ip any any
    ip local pool VPNPool 192.168.0.225-192.168.0.250 mask 255.255.255.0
    no failover
    failover timeout -1
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.224_27 NETWORK_OBJ_192.168.0.224_27 no-proxy-arp route-lookup
    object network LAN
    nat (inside,outside) dynamic interface
    access-group outside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 50.1.1.250 1
    sysopt noproxyarp inside
    sysopt noproxyarp outside
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=ASA
    crl configure
    crypto ca server
    shutdown
    crypto ca certificate chain ASDM_TrustPoint0
    certificate d2c18c4e
        308201f3 3082015c a0030201 020204d2 c18c4e30 0d06092a 864886f7 0d010105
        0500303e 3110300e 06035504 03130741 53413535 3130312a 30280609 2a864886
        f70d0109 02161b41 53413535 31302e64 69676974 616c6578 7472656d 65732e63
        6f6d301e 170d3131 31303036 31393133 31365a17 0d323131 30303331 39313331
        365a303e 3110300e 06035504 03130741 53413535 3130312a 30280609 2a864886
        f70d0109 02161b41 53413535 31302e64 69676974 616c6578 7472656d 65732e63
        6f6d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b2
        8acbe1f4 5aa19dc5 d3379bf0 f0e1177d 79b2b7cf cc6b4623 d1d97d4c 53c9643b
        37f32caf b13b5205 d24457f2 b5d674cb 399f86d0 e6c3335f 031d54f4 d6ca246c
        234b32b2 b3ad2bf6 e3f824c0 95bada06 f5173ad2 329c28f8 20daaccf 04c51782
        3ca319d0 d5d415ca 36a9eaff f9a7cf9c f7d5e6cc 5f7a3412 98e71de8 37150f02
        03010001 300d0609 2a864886 f70d0101 05050003 8181009d d2d4228d 381112a1
        cfd05ec1 0f51a828 0748172e 3ff7b480 26c197f5 fd07dd49 01cd9db6 9152c4dc
        18d0f452 50f5d0f5 4a8279c4 4c1505f9 f5e691cc 59173dd1 7b86de4f 4e804ac6
        beb342d1 f2db1d1f 878bb086 981536cf f4094dbf 36c5371f e1a0db0a 75685bef
        af72e31f a1c4a892 d0acc618 888b53d1 9b888669 70e398
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 10
    console timeout 0
    management-access inside
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
    anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
    anyconnect profiles VPN disk0:/devpn.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy VPN internal
    group-policy VPN attributes
    wins-server value 50.1.1.17 50.1.1.18
    dns-server value 50.1.1.17 50.1.1.18
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
    default-domain value digitalextremes.com
    webvpn
      anyconnect profiles value VPN type user
      always-on-vpn profile-setting
    username administrator password xxxxxxxxx encrypted privilege 15
    username VPN1 password xxxxxxxxx encrypted
    tunnel-group VPN type remote-access
    tunnel-group VPN general-attributes
    address-pool (inside) VPNPool
    address-pool VPNPool
    authorization-server-group LOCAL
    default-group-policy VPN
    tunnel-group VPN webvpn-attributes
    group-alias VPN enable
    tunnel-group VPN ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    class-map ips
    match access-list ips
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect http
    class ips
      ips inline fail-open
    class class-default
      user-statistics accounting

    Hi Marvin, thanks for the quick reply.
    It appears that we don't have Anyconnect Essentials.
    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 100            perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 2              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 250            perpetual
    Total VPN Peers                   : 250            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    This platform has an ASA 5510 Security Plus license.
    So then what does this mean for us VPN-wise? Is there any way we can set up multiple VPNs with this license?

  • Need Help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect

    Hi All,
    I need help configuring a site-to-site VPN from a Cisco 2811 to Websense Cloud for web traffic redirection.
    The 2811 is running C2800NM-ADVIPSERVICESK9-M.
    The 2811 router connects to the Internet switch, which then connects to the Internet router.
    Note: for authentication I am using the Device ID & pre-shared key. I am worried that all user traffic goes out with PAT and is not firing up my tunnel for port 80 traffic. Can you please suggest what the issue could be?
    Below is the router config for VPN & NAT:
    crypto keyring ISR_Keyring
      pre-shared-key hostname vpn.websense.net key 2c22524d554556442d222d565f545246
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp keepalive 10
    crypto isakmp profile isa-profile
       keyring ISR_Keyring
       self-identity user-fqdn [email protected]
       match identity user vpn-proxy.websense.net
    crypto ipsec transform-set ESP-NULL-SHA esp-null esp-sha-hmac
    crypto map GUEST_WEB_FILTER 10 ipsec-isakmp
    set peer vpn.websense.net dynamic
    set transform-set ESP-NULL-SHA
    set isakmp-profile isa-profile
    match address 101
    interface FastEthernet0/1
    description connected to Internet
    ip address 216.222.208.101 255.255.255.128
    ip access-group HVAC_Public in
    ip nat outside
    ip virtual-reassembly
    duplex full
    speed 100
    no cdp enable
    crypto map GUEST_WEB_FILTER
    access-list 101 permit tcp 192.168.8.0 0.0.3.255 any eq www
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.187 log
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.181 log
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.182 log
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.216.0 0.0.1.255
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 116.50.56.0 0.0.7.255
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.220.0 0.0.3.255
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 103.1.196.0 0.0.3.255
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 177.39.96.0 0.0.3.255
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 196.216.238.0 0.0.1.255
    access-list 103 permit ip 192.168.8.0 0.0.3.255 any
    ip nat pool mypool 216.222.208.101 216.222.208.101 netmask 255.255.255.128
    ip nat inside source list 103 interface FastEthernet0/1 overload
    ip nat inside source route-map nonat pool mypool overload

    How does Websense expect your source IPs in the tunnel: 192.168.8.0 0.0.3.255 or the PAT'ed 216.222.208.101?
    Check
    show crypto isakmp sa
    show crypto ipsec sa
    show crypto session
    You'd better remove the pre-shared key from your post.
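The reply above asks which source address Websense expects to see inside the tunnel. The script below is an added example, not code from the thread, Cisco or Websense: it walks a web packet through the posted ACLs in the order an IOS router applies them to inside-to-outside traffic, inside-source NAT first and the crypto map afterwards, so the crypto ACL is evaluated against the post-NAT source. The ACL lines and the PAT address (the FastEthernet0/1 address used by 'overload') come from the post; the extra deny added to list 103 for contrast, the test flow 192.168.9.10 -> 93.184.216.34 and the small ACL parser are assumptions for illustration.

```python
"""Walk a packet through the 2811's NAT list and crypto ACL in IOS order.

Added example for the Websense thread above; not code from the post, Cisco or
Websense. For inside-to-outside traffic IOS translates (ip nat inside source)
before it consults the crypto map, so the crypto ACL is matched against the
post-NAT source address. ACL lines are copied from the post; the extra deny in
FIXED_ACLS and the test addresses are assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "https": 443, "domain": 53}
PAT_IP = "216.222.208.101"  # FastEthernet0/1 address, used by 'overload' in the post

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 80

def _parse_addr(tokens, i):
    """Return ((network, mask), next_index) for 'any', 'host A' or 'A WILDCARD'."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))  # set bits are "don't care"
    return (net, 0xFFFFFFFF ^ wildcard), i + 2

def parse_acls(text):
    """Parse numbered extended ACL lines into {number: [ace, ...]} in listed order."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":  # only destination-port matches occur in the post
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        acls.setdefault(t[1], []).append(
            {"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport})
    return acls

def _addr_match(addr, spec):
    net, mask = spec
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)

def acl_lookup(entries, pkt):
    """First-match evaluation with the implicit deny IOS puts at the end."""
    for ace in entries:
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if not (_addr_match(pkt.src, ace["src"]) and _addr_match(pkt.dst, ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"]
    return "deny"

def trace(pkt, acls, nat_list="103", crypto_acl="101"):
    """Inside-to-outside: NAT first (list 103, overload), then crypto-map match (ACL 101)."""
    steps = []
    if acl_lookup(acls[nat_list], pkt) == "permit":
        pkt = Packet(PAT_IP, pkt.dst, pkt.proto, pkt.dport)
        steps.append(f"NAT list {nat_list} permits: source translated to {PAT_IP}")
    else:
        steps.append(f"NAT list {nat_list} denies: source {pkt.src} kept (NAT exemption)")
    encrypted = acl_lookup(acls[crypto_acl], pkt) == "permit"
    steps.append(f"crypto ACL {crypto_acl} {'matches' if encrypted else 'does not match'} "
                 f"{pkt.src} -> {pkt.dst}:{pkt.dport}; tunnel {'used' if encrypted else 'bypassed'}")
    return encrypted, steps

# ACL lines as posted (101 = crypto ACL, 103 = NAT list; the other 103 denies are alike).
POSTED_ACLS = """\
access-list 101 permit tcp 192.168.8.0 0.0.3.255 any eq www
access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.187 log
access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.216.0 0.0.1.255
access-list 103 permit ip 192.168.8.0 0.0.3.255 any
"""
# Assumed fix for contrast (not from the thread): exempt the web traffic from PAT so the
# crypto ACL sees the 192.168.8.0/22 source. The deny must sit above the permit; a numbered
# ACL appends new lines at the end, so on the router the list would have to be rebuilt.
FIXED_ACLS = POSTED_ACLS.replace(
    "access-list 103 permit",
    "access-list 103 deny   tcp 192.168.8.0 0.0.3.255 any eq www\naccess-list 103 permit")

WEB_PKT = Packet("192.168.9.10", "93.184.216.34", "tcp", 80)  # constructed test flow

def compare():
    """Return {'posted': encrypted?, 'fixed': encrypted?} for the same web packet."""
    return {label: trace(WEB_PKT, parse_acls(text))[0]
            for label, text in (("posted", POSTED_ACLS), ("fixed", FIXED_ACLS))}

if __name__ == "__main__":
    for label, text in (("posted", POSTED_ACLS), ("fixed", FIXED_ACLS)):
        print(label, *trace(WEB_PKT, parse_acls(text))[1], sep="\n  ")
```

Run as is, it prints both traces: with the posted lists the source is translated to 216.222.208.101 before ACL 101 is consulted, so the crypto map never matches the port 80 flow and the tunnel stays down, whereas exempting that traffic from NAT (if a private source is what Websense expects) makes ACL 101 match. If Websense instead expects the PAT address, the crypto ACL would have to name 216.222.208.101 as the source. The parser only handles the ACE forms that appear in the post.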
